Bug 1134348

Summary: httpd doesn't start
Product: [Fedora] Fedora Reporter: Nils Philippsen <nphilipp>
Component: httpdAssignee: Jan Kaluža <jkaluza>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 21CC: jkaluza, jorton, nphilipp, pahan
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: httpd-2.4.10-9.fc21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-23 04:51:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nils Philippsen 2014-08-27 11:15:23 UTC 
Description of problem:
After updating to 2.4.10-6.fc21 or higher, httpd doesn't start. It mentions SSL cipher errors in the logs.

Version-Release number of selected component (if applicable):
httpd-2.4.10-7.fc21.x86_64
mod_ssl-2.4.10-7.fc21.x86_64

How reproducible:
Reproducible.

Steps to Reproduce:
1. systemctl start httpd.service

Actual results:
root@gibraltar:~> systemctl start httpd.service
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
root@gibraltar:~> systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: failed (Result: exit-code) since Wed 2014-08-27 13:09:24 CEST; 4s ago
  Process: 21771 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
  Process: 21769 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 21769 (code=exited, status=1/FAILURE)

Aug 27 13:09:24 gibraltar systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Aug 27 13:09:24 gibraltar kill[21771]: kill: cannot find process "".
Aug 27 13:09:24 gibraltar systemd[1]: httpd.service: control process exited, code=exited status=1
Aug 27 13:09:24 gibraltar systemd[1]: Failed to start The Apache HTTP Server.
Aug 27 13:09:24 gibraltar systemd[1]: Unit httpd.service entered failed state.
root@gibraltar:~> journalctl -xn
-- Logs begin at Mon 2013-12-30 12:45:11 CET, end at Wed 2014-08-27 13:09:24 CEST. --
Aug 27 13:09:17 gibraltar systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Aug 27 13:09:17 gibraltar kill[21753]: kill: cannot find process "".
Aug 27 13:09:17 gibraltar systemd[1]: httpd.service: control process exited, code=exited status=1
Aug 27 13:09:17 gibraltar systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit httpd.service has failed.
-- 
-- The result is failed.
Aug 27 13:09:17 gibraltar systemd[1]: Unit httpd.service entered failed state.
Aug 27 13:09:24 gibraltar systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Aug 27 13:09:24 gibraltar kill[21771]: kill: cannot find process "".
Aug 27 13:09:24 gibraltar systemd[1]: httpd.service: control process exited, code=exited status=1
Aug 27 13:09:24 gibraltar systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit httpd.service has failed.
-- 
-- The result is failed.
Aug 27 13:09:24 gibraltar systemd[1]: Unit httpd.service entered failed state.
root@gibraltar:~> 

--- 8< --- /var/log/httpd/error_log ---
[Wed Aug 27 13:09:24.547483 2014] [core:notice] [pid 21769] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Wed Aug 27 13:09:24.548609 2014] [suexec:notice] [pid 21769] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Aug 27 13:09:24.548966 2014] [ssl:emerg] [pid 21769] AH02311: Fatal error initialising mod_ssl, exiting. See /etc/httpd/logs/ssl_error_log for more information
AH00016: Configuration Failed
--- >8 --------------------------------

--- 8< --- /var/log/httpd/ssl_error_log ---
[Wed Aug 27 13:09:24.548937 2014] [ssl:emerg] [pid 21769] AH01898: Unable to configure permitted SSL ciphers
[Wed Aug 27 13:09:24.548960 2014] [ssl:emerg] [pid 21769] SSL Library Error: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
--- >8 ------------------------------------

Expected results:
httpd starts

Additional info:
Downgrading to 2.4.10-3.fc21 makes it start again. I think it may be related to this change:

* Thu Aug 21 2014 Joe Orton <jorton> - 2.4.10-6
- mod_ssl: treat "SSLCipherSuite PROFILE=..." as special (#1109119)
- switch default ssl.conf to use PROFILE=SYSTEM (#1109119)
Comment 1 Jan Kaluža 2014-08-27 11:16:48 UTC 
Hi, what version of openssl package do you use please?
Comment 2 Nils Philippsen 2014-08-27 13:15:53 UTC 
openssl-1.0.1i-3.fc21.x86_64
Comment 3 Joe Orton 2014-08-29 14:09:33 UTC 
Commit: http://pkgs.fedoraproject.org/gitweb/?p=httpd.git;a=commitdiff;h=793563ad40c65d89906e61a3f83ded4dcb7996f8
Package: httpd-2.4.10-8.fc22
Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=573375
Comment 4 Joe Orton 2014-08-29 14:41:39 UTC 
This was a dumb error by me, sorry.  I put "PROFILE=DEFAULT" not "PROFILE=SYSTEM" into ssl.conf.
Comment 5 Joe Orton 2014-08-29 14:59:21 UTC 
Commit: http://pkgs.fedoraproject.org/gitweb/?p=httpd.git;a=commitdiff;h=a52322721dcf711892b35ccec24453184014e1a8
Package: httpd-2.4.10-8.fc21
Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=573409
Comment 6 Nils Philippsen 2014-09-02 09:06:31 UTC 
(In reply to Joe Orton from comment #5)
> Commit:
> http://pkgs.fedoraproject.org/gitweb/?p=httpd.git;a=commitdiff;
> h=a52322721dcf711892b35ccec24453184014e1a8
> Package: httpd-2.4.10-8.fc21
> Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=573409

Would you submit an update for that? Thanks!
Comment 7 Fedora Update System 2014-09-03 07:27:40 UTC 
httpd-2.4.10-8.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/httpd-2.4.10-8.fc21
Comment 8 Fedora Update System 2014-09-03 15:29:43 UTC 
httpd-2.4.10-9.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/httpd-2.4.10-9.fc21
Comment 9 Fedora Update System 2014-09-06 01:01:39 UTC 
Package httpd-2.4.10-9.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing httpd-2.4.10-9.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-10234/httpd-2.4.10-9.fc21
then log in and leave karma (feedback).
Comment 10 Fedora Update System 2014-09-23 04:51:08 UTC 
httpd-2.4.10-9.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.